Master the Linux Network Stack: A Complete Illustrated Guide
This comprehensive tutorial walks through the Linux networking stack—from basic concepts, physical and data‑link layers, and addressing schemes to routing protocols, TCP/UDP transport mechanisms, application‑layer services like DNS and HTTP, and security fundamentals—providing clear explanations, step‑by‑step processes, formulas, and visual diagrams to help readers understand how each layer works and interacts.
Fundamental concepts
Link – physical connection between nodes (copper, fiber, satellite, etc.)
Node – device such as a computer, hub, switch or router
Protocol – rules for message format, semantics and timing between peer entities
Service – functionality offered by a layer to the layer above it
Entity – any hardware or software process that can send or receive messages
PDU – protocol data unit exchanged between peer layers
Network models
C/S (client‑server): client requests service, server provides it; client must know server address
B/S (browser‑server): web browser interacts with a server that hosts databases (SQL Server, MySQL, …)
P2P (peer‑to‑peer): each host acts as both client and server; fundamentally a C/S relationship
LAN, MAN, WAN, PAN – classification by geographic scope (LAN ≈1 km, MAN 5‑50 km, WAN tens to thousands of km, PAN 10 m)
Physical layer
Signal encoding methods:
NRZ – ‘1’ is high level, ‘0’ is low level
Manchester – each bit contains a transition (1: high→low, 0: low→high)
Factors that affect signal distortion: transmission rate, distance, medium, noise.
Transmission media:
Twisted‑pair (4‑pair, shielded vs. unshielded, T568A/B straight‑through vs. crossover)
Coaxial cable (50 Ω for LAN/digital, 75 Ω for TV/analog)
Fiber (single‑mode for long distance, multi‑mode for short distance, LED vs. laser sources)
Wireless (radio, infrared, etc.)
Data link layer
Key functions:
Frame encapsulation (SOH/EOT delimiters)
Transparent transmission (byte stuffing or bit stuffing)
CRC error detection – sender appends n‑bit CRC, receiver divides by polynomial P; remainder 0 means no error.
PPP over point‑to‑point links:
Frame format includes flag (0x7E), address, control, protocol, payload, FCS.
Zero‑bit stuffing – insert a 0 after five consecutive 1s.
Byte stuffing – replace 0x7E with 0x7D5E, 0x7D with 0x7D5D, etc.
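Both PPP stuffing rules above as a round trip, including the malformed inputs a receiver should reject. This is an added example, not code from the original guide; the function names and the sample payload are illustrative, and only the 0x7E and 0x7D cases named above are escaped on the sending side.

```python
FLAG, ESC = 0x7E, 0x7D  # PPP flag byte and control-escape byte

def byte_stuff(payload: bytes) -> bytes:
    """Escape FLAG/ESC: 0x7E -> 0x7D 0x5E, 0x7D -> 0x7D 0x5D (byte XOR 0x20)."""
    out = bytearray()
    for b in payload:
        out += bytes((ESC, b ^ 0x20)) if b in (FLAG, ESC) else bytes((b,))
    return bytes(out)

def byte_unstuff(body: bytes) -> bytes:
    """Reverse byte_stuff, rejecting bodies a correct sender cannot produce."""
    out, it = bytearray(), iter(body)
    for b in it:
        if b == FLAG:
            raise ValueError("unescaped 0x7E inside frame body")
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("frame body ends in a dangling 0x7D")
            b = nxt ^ 0x20
        out.append(b)
    return bytes(out)

def bit_stuff(bits: str) -> str:
    """Insert a 0 after every run of five consecutive 1s."""
    out, run = [], 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return "".join(out)

def bit_unstuff(bits: str) -> str:
    """Remove the stuffed 0s; six 1s in a row can only be a flag or abort."""
    out, run, i = [], 0, 0
    while i < len(bits):
        out.append(bits[i])
        run = run + 1 if bits[i] == "1" else 0
        if run == 5:
            i += 1  # the bit after five 1s must be the stuffed 0
            if i < len(bits) and bits[i] != "0":
                raise ValueError("six consecutive 1s in frame body")
            run = 0
        i += 1
    return "".join(out)

SAMPLE = bytes.fromhex("017e7d02")  # constructed payload with both reserved bytes
```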
CSMA/CD on broadcast Ethernet:
Contention period = 2τ (τ = one‑way propagation time). For 10 Mbit/s Ethernet, 2τ = 51.2 µs.
Backoff after a collision: wait r·2τ where r ∈ {0,…,2^k‑1}, k = min(retransmission count, 10). After 16 collisions the frame is discarded.
Network layer
IP addressing:
Class A: 0.0.0.0‑127.255.255.255
Class B: 128.0.0.0‑191.255.255.255
Class C: 192.0.0.0‑223.255.255.255
Class D (multicast): 224.0.0.0‑239.255.255.255
Class E (reserved): 240.0.0.0‑255.255.255.255
Special addresses: network address (host bits 0), broadcast address (host bits 1), loopback 127.0.0.1, link‑local 169.254.0.0/16, etc.
Subnetting – use a subnet mask (e.g., 255.255.255.0) to separate network and host portions; calculate network address, broadcast address, number of subnets and hosts per subnet.
CIDR – address/prefix notation (e.g., 200.23.16.0/23 → mask 255.255.254.0). Route aggregation merges contiguous prefixes into a larger one.
ARP – resolves an IPv4 address to a MAC address:
Host A broadcasts an ARP request.
Host B replies with its MAC.
Result is cached in the ARP table.
IPv4 header fields (excerpt):
IHL – 4 bits, header length in 32‑bit words (5‑15 → 20‑60 bytes)
Total Length – 16 bits, max 65535 bytes (must be ≤ MTU)
TTL – 8 bits, decremented by each router; packet discarded at 0.
Protocol – 8 bits (6 = TCP, 17 = UDP, 1 = ICMP, 41 = IPv6)
Header checksum – 16 bits, computed over header only.
Fragmentation:
Identification (16 bits) same for all fragments of a datagram.
Flags: MF (more fragments), DF (don’t fragment).
Fragment offset – 13 bits, unit = 8 bytes.
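A parser for the header and fragmentation fields listed above, with the consistency checks a receiver or sensor would apply before trusting them. This is an added example, not code from the original guide; the function names, the dictionary keys and the sample packets (documentation addresses, checksum left at 0 and not verified here) are constructed for illustration.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6"}

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields listed above and reject inconsistent ones."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("version field is not 4")
    header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if header_len < 20:
        raise ValueError("IHL below 5")
    if not header_len <= total_len <= len(packet):
        raise ValueError("Total Length disagrees with IHL or captured bytes")
    offset = (flags_frag & 0x1FFF) * 8         # 13-bit offset, 8-byte units
    data_len = total_len - header_len
    if header_len + offset + data_len > 65535:
        raise ValueError("fragment ends past the 65535-byte datagram limit")
    mf = bool(flags_frag & 0x2000)
    if mf and data_len % 8:
        raise ValueError("non-final fragment is not a multiple of 8 bytes")
    return {
        "header_len": header_len, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": mf,
        "offset": offset, "data_len": data_len, "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def sample_packet(total_len: int, flags_frag: int, proto: int = 17) -> bytes:
    """Constructed test packet: 20-byte header plus zero-filled payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes((192, 0, 2, 1)), bytes((192, 0, 2, 2)))
    return header + bytes(total_len - 20)

# Last fragment of a constructed datagram: offset field 185 -> byte 1480.
LAST_FRAGMENT = parse_ipv4_header(sample_packet(540, 185))
```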
Routing protocols:
RIP (distance‑vector)
Metric = hop count (max 15, 16 = unreachable).
Updates every 30 s; uses split horizon, poison reverse.
Simple but slow convergence, limited to small networks.
OSPF (link‑state)
Each router builds a link‑state database of the whole AS.
Runs Dijkstra’s algorithm to compute shortest‑path tree.
Divides AS into areas; area 0 is the backbone.
BGP (path‑vector)
Used between autonomous systems.
Exchanges reachable prefixes and attributes (AS‑PATH, NEXT‑HOP).
Establishes TCP session on port 179.
MPLS
At the ingress LSR a label (short integer) is pushed onto each packet; forwarding is based on the label rather than the IP header. Labels map to Forwarding Equivalence Classes (FECs).
Transport layer
UDP – connectionless, supports unicast/multicast/broadcast, no reliability, checksum optional.
UDP header (8 bytes):
Source Port (16 bits) | Destination Port (16 bits)
Length (16 bits) | Checksum (16 bits)
Checksum calculation:
Set checksum field to 0.
Sum 16‑bit words, adding overflow back into LSB.
Take one's complement of the sum.
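The three checksum steps above, applied to a complete UDP segment and then verified on the receiving side. This is an added example, not code from the original guide. It goes beyond the steps listed by including the IPv4 pseudo-header that RFC 768 adds to the sum; the function names, addresses and ports are constructed for illustration.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, carries folded back, then inverted."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length input for summing
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # add overflow back into the low bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 17, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
              payload: bytes) -> bytes:
    """Build a UDP segment with its checksum filled in."""
    length = 8 + len(payload)
    zeroed = struct.pack("!HHHH", sport, dport, length, 0) + payload  # field = 0
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, length) + zeroed)
    csum = csum or 0xFFFF                     # 0 on the wire means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def verify_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: summing everything, checksum included, must yield 0."""
    if len(segment) < 8:
        return False
    length, stored = struct.unpack("!HH", segment[4:8])
    if length != len(segment):
        return False
    if stored == 0:                           # sender did not compute a checksum
        return True
    return internet_checksum(pseudo_header(src_ip, dst_ip, length) + segment) == 0

# Constructed sample: documentation addresses, arbitrary ports and payload.
SRC, DST = bytes((192, 0, 2, 1)), bytes((192, 0, 2, 2))
SEGMENT = build_udp(SRC, DST, 40000, 53, b"ABCD")
```

Because the sum does not depend on word order, swapping two aligned 16-bit words leaves the checksum valid: it catches accidental corruption, not the tampering described under network security.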
TCP – connection‑oriented, reliable, flow‑ and congestion‑controlled.
TCP header (minimum 20 bytes):
Source Port | Destination Port
Seq Number (32 bits)
Ack Number (32 bits)
Data Offset (4 bits) | Reserved | Flags (6 bits)
Window (16 bits)
Checksum (16 bits)
Urgent Pointer (16 bits)
Flags: URG, ACK, PSH, RST, SYN, FIN.
Three‑way handshake:
Client → SYN, Seq = x
Server → SYN+ACK, Seq = y, Ack = x+1
Client → ACK, Ack = y+1 (connection established)
Four‑step termination (FIN/ACK exchange) – both sides close their send side.
Retransmission timeout (RTO):
RTO = SRTT + 4·RTTVAR
SRTT = (1‑α)·SRTT + α·SampleRTT (α≈1/8)
RTTVAR = (1‑β)·RTTVAR + β·|SRTT‑SampleRTT| (β≈1/4)
Flow control – receiver advertises a window size; sender must not exceed it.
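The RTO formulas above carried through a short series of measurements, showing how a single delay spike widens the timeout. This is an added example, not code from the original guide. It assumes the RFC 6298 conventions that the first sample sets SRTT = R and RTTVAR = R/2 and that RTTVAR is updated before SRTT; the class name and the sample values are constructed.

```python
class RtoEstimator:
    """RTT smoothing with the formulas above (alpha = 1/8, beta = 1/4)."""
    ALPHA, BETA = 1 / 8, 1 / 4

    def __init__(self):
        self.srtt = None      # smoothed round-trip time
        self.rttvar = None    # smoothed deviation

    def update(self, sample_rtt: float) -> float:
        """Feed one RTT measurement (ms) and return the resulting RTO (ms)."""
        if self.srtt is None:
            # First measurement (assumed RFC 6298 initialisation).
            self.srtt, self.rttvar = sample_rtt, sample_rtt / 2
        else:
            # RTTVAR must see the old SRTT, so it is updated first.
            self.rttvar = ((1 - self.BETA) * self.rttvar
                           + self.BETA * abs(self.srtt - sample_rtt))
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * sample_rtt
        return self.srtt + 4 * self.rttvar

def rto_trace(samples):
    """Return the RTO after each sample in turn."""
    estimator = RtoEstimator()
    return [estimator.update(s) for s in samples]

# Constructed measurements in ms: steady 100 ms with one 300 ms spike.
SAMPLES_MS = [100, 100, 300, 100]
```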
Congestion control – slow start (cwnd doubles each RTT until ssthresh), then congestion avoidance (cwnd += 1 per RTT). On timeout or three duplicate ACKs, ssthresh = cwnd/2, cwnd = 1 (slow start).
ACK strategies:
Cumulative ACK – acknowledges all bytes up to the highest in‑order byte received.
Piggyback ACK – ACK is carried in a data segment heading in the opposite direction.
Application layer
DNS
Hierarchical namespace; root → TLD → authoritative zones.
Four server types: root, TLD, authoritative, local resolver.
Iterative query – resolver contacts each server in turn.
Recursive query – resolver does all the work for the client.
FTP
Control connection on TCP port 21 (commands, authentication).
Data connection on TCP port 20 (file transfer).
Anonymous FTP – login as “anonymous” with any password.
HTTP
Request line, header fields, optional body.
Response line, header fields, optional body.
HTTP/1.1 default is persistent connection; pipelining allows multiple requests without waiting for each response.
SMTP (TCP 25) – sends mail between servers.
MIME – adds content‑type headers to support multimedia.
POP3 (TCP 110) – download‑and‑delete model.
IMAP (TCP 143) – server‑side mail management.
DHCP
Client broadcasts DHCPDISCOVER.
Server replies with DHCPOFFER (IP, mask, gateway, DNS).
Client sends DHCPREQUEST for the chosen offer.
Server sends DHCPACK – lease granted.
Lease renewal typically at 50 % of lease time; if no response, retry at 87.5 %.
P2P file distribution
Uses tit‑for‑tat strategy: each node selects the four fastest neighbors to send chunks, re‑evaluates every 10 s, and randomly contacts a fifth node every 30 s to discover new peers.
Network security
Eavesdropping – passive capture of traffic.
Tampering – modification of captured traffic.
Malware – malicious code execution.
DoS – overwhelming a target with traffic.
Cryptography:
Symmetric – same key for encryption/decryption (K₁ = K₂).
Asymmetric – public key (E) for encryption, private key (D) for decryption.
Digital signatures provide authentication, integrity, and non‑repudiation.
Key distribution mechanisms:
KDC (Key Distribution Center) – shared secret between client and KDC.
CA (Certificate Authority) – issues X.509 certificates binding public keys to identities.
Wireless LAN
Infrastructure mode – stations communicate via an Access Point (AP).
Ad‑hoc mode – stations communicate directly without an AP.
CSMA/CA operation:
Station senses idle channel, waits DIFS (≈128 µs).
Transmits frame; receiver waits SIFS (≈28 µs) then sends ACK.
If channel busy, station selects random backoff counter; decrements while idle, transmits when counter reaches zero.
Hidden‑node problem occurs when two stations cannot hear each other but both interfere at a common receiver.
802.11 frame format includes four address fields (RA, TA, DA, SA) to support distribution systems.
Comparative tables (selected)
Address length: MAC 6 B, IPv4 4 B, IPv6 16 B, Port 2 B.
Header size: Ethernet 18 B (incl. CRC), IPv4 20‑60 B, IPv6 40 B.
Error checking: CRC (link), IPv4 checksum, TCP/UDP checksum.
Routing protocols – RIP (hop count, max 15), OSPF (link‑state, Dijkstra), BGP (path‑vector, policy), MPLS (label‑based forwarding).
Key command reference
ipconfig – /all, /displaydns, /flushdns, /release, /renew
ping – -n count, -l size, -t (continuous)
tracert – trace path to destination.
arp – -a (display), -d (delete), -s (static entry)
Glossary (selected terms)
ISP – Internet Service Provider
IXP – Internet Exchange Point
Hub – multi‑port repeater (physical layer)
LAN, MAN, WAN, PAN – local, metropolitan, wide, personal area networks
WLAN – wireless LAN (Wi‑Fi)
VLAN – virtual LAN (layer‑2 segmentation)
P2P, C/S – peer‑to‑peer, client‑server models
CSMA/CD – carrier sense multiple access with collision detection (wired Ethernet)
CSMA/CA – carrier sense multiple access with collision avoidance (wireless)
LiFi – visible‑light communication
ADSL, HFC, FTTH – broadband access technologies
URL – uniform resource locator
VPN – virtual private network (tunneling, encryption)
IPSec – suite for securing IP traffic
NAT – network address translation
ICMP – control messages (e.g., ping, destination unreachable)
IGMP – multicast group management
MSS – maximum segment size (TCP)
BGP – border gateway protocol (inter‑AS routing)
AS – autonomous system
HTTPS – HTTP over TLS/SSL
MPLS – multi‑protocol label switching
AP – access point (WLAN)
SSID – service set identifier (WLAN name)
AdHoc – peer‑to‑peer WLAN mode
Blockchain – distributed ledger with immutability and transparency.
Linux Tech Enthusiast
Focused on sharing practical Linux technology content, covering Linux fundamentals, applications, tools, as well as databases, operating systems, network security, and other technical knowledge.
